
Michael Lee – Thesis Defense
Cryptanalysis of the SIGABA and Related Cryptosystems
Michael S. Lee
Master’s Thesis Defense
June 11th, 2003

Thesis Committee
- Alan Konheim, Chair
- Richard Kemmerer
- Giovanni Vigna

Overview
- Introduction
- Rotors
- Rotor-based Cryptosystems
- Previous Work
- Cryptanalysis
- Conclusion

Introduction
- Feel free to ask questions
- Use the handout

Cryptography in 3 Minutes
- Cryptography
  - Encryption
  - Decryption
  - Transposition
  - Substitution
    - Monoalphabetic
    - Polyalphabetic
- Cryptanalysis
Alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ
Transposition: x = transposition_, y = rtnapssotioi_n
Substitution: x = substitution, y = vxevwlwxwlrq

Rise of the Machines
- A lot of arithmetic
- People are bad at arithmetic
- Machines are developed for
  - Speed
  - Accuracy

State of the Art – 1400s
- Cryptographic machines
  - Mechanical
[Figure: Jefferson’s Cipher Machine]

State of the Art – 1930s
- Cryptographic machines
  - Electromechanical
[Figures: German Enigma; American SIGABA]

Tangent: Cryptographic Rotors
[Figure: A Rotor, with labels Disc, Axis, Teeth, Contacts, Internal Wiring]

Rotor Wiring
- Rotors are wired using a 1-to-1 mapping

Rotor Wiring
- This substitution is denoted $\pi$: $y_i = \pi(x_i)$
[Substitution Table: columns $x_i$ and $\pi(x_i)$ over the alphabet ABCDEFGHIJKLMNOPQRSTUVWXYZ]

Polyalphabetic Substitutions
- If the rotor moves, it could describe different substitutions as it advances

Polyalphabetic Substitutions
- The encryption equation using the shift:
  $y_i = \pi(x_i - A_i) + A_i$
  $y_i = \pi(D - 4) + 4$
  $y_i = \pi(25) + 4$
  $y_i =$
  $y_i = \pi(3 - 4) + 4 = Q$
- The original $\pi$ can be used regardless of the shift.
[Substitution Table: columns $x_i$ (0, 1, 2, …) and $\pi(x_i)$ over the alphabet ABCDEFGHIJKLMNOPQRSTUVWXYZ]

Multiple Rotors
- Using more than one rotor gives:
  - Longer Period
  - Greater Complexity
- Rotors must move independently, intelligently

Multiple Rotors
- Encryption equation with multiple rotors:
  $y_i = \pi_n(\dots \pi_2(\pi_1(x_i - A_i) + A_i - B_i) + B_i \dots - N_i) + N_i$

Interval Wiring
- Rotors should produce many different substitutions
- Straight-through wiring
- Interval method wiring

SIGABA v. Enigma
- Problems with the Enigma
  - Reflecting rotor
  - Predictable rotor movements
  - Key Exchange Problem

Cipher Rotors
[Figure labels: Plaintext Letter From Keyboard; Ciphertext Letter to Printer; Control Signals]

Stepping Maze – Index Rotors

Stepping Maze – Control Rotors
[Figure labels: Active Signals; Stepping Signals]

SIGABA Usage
- Insert Index (small) Rotors (from key list)
- Insert the 10 big rotors (line up Os)
- Check for errors in rotor placement
- Line up Os again
- Set Control Rotors to message indicator
- Begin encryption
- During encryption, Z is treated as a space

Previous Work
- Savard-Pekelney Cryptanalysis [1999]
  - Exhaustive Key Trial
    $\log_2(10! \times 2^{10} \times 26^5 \times 10^5) = 71.9$
  - Multiple Ciphertext Cryptanalysis
    - Intercept many (10-15) ciphertexts such that…
    - Every ciphertext uses the same key
    - Isolate movements of the outer rotors ($C_1$ and $C_5$)
    - Recover substitutions of outer rotors
    - Continue with inner rotors

Preliminaries – Cribbing
- A crib is a segment of text believed to appear in the plaintext
- Cribbing is the search for the crib within the ciphertext
- Choosing good cribs is not difficult

Preliminaries – Rotorstreams
- The SIGABA uses the stepping maze
- We can simulate stepping maze outputs
- A rotorstream, denoted $a$, is defined as:
  $a = (a_0, a_1, \dots, a_{n-2}), \quad a_i \in \{0,1\}$
  $A_i = A_0$ if $i = 0$
  $A_i = A_{i-1} + a_{i-1}$ otherwise
- Breaking this model is at least as difficult as breaking the SIGABA

One-Rotor – Overview
- Given
  - ciphertext enciphered with 1 rotor
  - a crib in the ciphertext
- Find
  - internal wiring
  - the position of the crib
- Potential work: $2^s$, where $s$ is length of $y$

One-Rotor – Strategy
- Assume the crib is at a certain position
- Generate a bitstream
- Check the bitstream against the guessed position by looking for inconsistencies
- Consistency test:
  $y_i - A_i = \pi(x_i - A_i)$
  $y_i - A_i = y_j - A_j \iff x_i - A_i = x_j - A_j$

One-Rotor – Strategy
- Extend the rotorstream bit by bit, and discard candidates that have associated contradictions

One-Rotor – Contradiction!
Table rows: $i$, $a_i$, $A_i$, $x_i$, $x_i - A_i$, $y_i - A_i$, $y_i$
$x_i$ = COMPUTERCOM
$x_i - A_i$ = COLNSRBNYJG
$y_i - A_i$ = EGKHASWHNPH
$y_i$ = EGLJCUZLRUN

One-Rotor – Success!
Table rows: $i$, $a_i$, $A_i$, $x_i$, $x_i - A_i$, $y_i - A_i$, $y_i$
$x_i$ = COMPUTERCOMMUNICATIO
$x_i - A_i$ = COLNSRBNYJHHPHBURKZE
$y_i - A_i$ = EGKHASWHNPIIFIWXSLMT
$y_i$ = EGLJCUZLRUNNKODFBUVD

One-Rotor – Finding the Crib
[Table: Crib Length vs. Crib Position]

One-Rotor – Results
- After running the algorithm with a sufficiently long crib (~20 chars), we find:
  - The location of the crib in the ciphertext
  - A portion of the rotor’s internal wiring
- With a longer crib (~60 chars), the internal wiring can be fully determined.
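The bit-by-bit search from the One-Rotor slides, written out as an added example (not code from the thesis). It uses the crib and ciphertext rows of the "Success!" slide and fixes A_0 = 0; the function names are illustrative.

```python
CRIB = "COMPUTERCOMMUNICATIO"    # x_i row of the "Success!" slide
CIPHER = "EGLJCUZLRUNNKODFBUVD"  # y_i row of the same slide

def to_nums(text):
    return [ord(c) - ord("A") for c in text]

def add_pair(wiring, inverse, x, y, A):
    """Consistency test: y_i - A_i = pi(x_i - A_i), with pi 1-to-1.
    Returns the (input, output) contact pair, or None on a contradiction."""
    u, v = (x - A) % 26, (y - A) % 26
    if wiring.get(u, v) != v or inverse.get(v, u) != u:
        return None
    return u, v

def wiring_for(crib, cipher, positions):
    """Partial wiring implied by a full position sequence A_0..A_k, or None."""
    wiring, inverse = {}, {}
    for x, y, A in zip(to_nums(crib), to_nums(cipher), positions):
        pair = add_pair(wiring, inverse, x, y, A)
        if pair is None:
            return None
        wiring[pair[0]], inverse[pair[1]] = pair[1], pair[0]
    return wiring

def surviving_rotorstreams(crib, cipher, A0=0):
    """Depth-first search over rotorstream bits, pruning on contradictions.
    Returns a list of (positions, partial_wiring) for every survivor."""
    xs, ys = to_nums(crib), to_nums(cipher)
    survivors = []

    def extend(i, positions, wiring, inverse):
        pair = add_pair(wiring, inverse, xs[i], ys[i], positions[-1])
        if pair is None:
            return                       # contradiction: discard this branch
        wiring = {**wiring, pair[0]: pair[1]}
        inverse = {**inverse, pair[1]: pair[0]}
        if i + 1 == len(xs):
            survivors.append((positions, wiring))
            return
        for bit in (0, 1):               # a_i = 0 (rotor stays) or 1 (rotor steps)
            extend(i + 1, positions + [positions[-1] + bit], wiring, inverse)

    extend(0, [A0], {}, {})
    return survivors

if __name__ == "__main__":
    found = surviving_rotorstreams(CRIB, CIPHER)
    print(len(found), "rotorstream(s) survive the consistency test")
    for positions, wiring in found[:3]:
        letters = {chr(u + 65): chr(v + 65) for u, v in sorted(wiring.items())}
        print(positions, letters)
```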

n-Rotor – Overview
- Previous attack needs too much crib. (~60 chars even for the single-rotor case)
- New attack model assumes that a machine has been captured.
- Given rotor wirings and a ciphertext, find
  - Plaintext
  - The order of the cipher rotors
  - The rotors’ positions and rotorstreams

n-Rotor – Strategy
- First, find the position of the crib in the ciphertext.
- Find the positions of the cipher rotors at that point in the ciphertext.
- Extend the crib from that position to recover the entire plaintext.

n-Rotor – Cribbing
- Previous attack:
  - We knew a long crib
  - Looked for inconsistencies in the substitution
- Current attack:
  - We know the substitution
  - Look for rotor movements that contradict the known substitution

n-Rotor – More Cribbing
- Assume the crib starts at a certain point
- Consider the first letter pair $(x_0, y_0)$
- Find positions $(A_0, B_0)$ that could produce that pair (one position per rotor)
- For each set of positions, try the next pair
  $(A_{i+1}, B_{i+1}) \in \{ (A_i, B_i), (A_i, B_i + 1), (A_i + 1, B_i), (A_i + 1, B_i + 1) \}$

n-Rotor – Yet More Cribbing
- Many of the new $(A_{i+1}, B_{i+1})$ will not lead to positions consistent with $(x_{i+1}, y_{i+1})$
- Continue with the survivors and process the other crib letters
- Now for an SSH Example!

n-Rotor – Finding the Crib
[Table: Crib Length vs. Crib Position]
[Table: Crib Length vs. Rotor Order (1R 2R; 2R 1R)]

n-Rotor – Results of Cribbing
- After cribbing, we know
  - The order of the cipher rotors
  - The position of the crib within the text
  - The rotational positions of the rotors at the crib
- The next step uses this information to recover the rest of the plaintext
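The n-rotor cribbing step for n = 2, as an added example rather than code from the thesis. The two wirings are constructed stand-ins (seeded shuffles), the rotor order is fixed, and all function names are illustrative.

```python
import random

def to_nums(text):
    return [ord(c) - ord("A") for c in text]

def make_wiring(seed):
    """Constructed stand-in for a captured rotor's wiring (seeded shuffle)."""
    perm = list(range(26))
    random.Random(seed).shuffle(perm)
    return perm

PI1, PI2 = make_wiring(1), make_wiring(2)

def encrypt_letter(x, A, B):
    """Two-rotor case of the slides' equation: y = pi2(pi1(x - A) + A - B) + B."""
    return (PI2[(PI1[(x - A) % 26] + A - B) % 26] + B) % 26

def encrypt(plain, A, B, stream):
    """stream[i] = (a_i, b_i) steps the rotors after letter i.
    Returns the ciphertext and the positions (A_i, B_i) used for each letter."""
    cipher, path = [], []
    for x, (a, b) in zip(plain, stream):
        cipher.append(encrypt_letter(x, A, B))
        path.append((A, B))
        A, B = (A + a) % 26, (B + b) % 26
    return cipher, path

def crib_survivors(crib, cipher):
    """All position paths consistent with every (x_i, y_i) pair of the crib."""
    paths = [[(A, B)] for A in range(26) for B in range(26)
             if encrypt_letter(crib[0], A, B) == cipher[0]]
    for x, y in zip(crib[1:], cipher[1:]):
        extended = []
        for path in paths:
            A, B = path[-1]
            for a in (0, 1):             # each rotor either stays or steps
                for b in (0, 1):
                    cand = ((A + a) % 26, (B + b) % 26)
                    if encrypt_letter(x, *cand) == y:
                        extended.append(path + [cand])
        paths = extended
    return paths

def find_crib(crib, cipher):
    """Slide the crib along the ciphertext; map offset -> surviving paths."""
    hits = {}
    for off in range(len(cipher) - len(crib) + 1):
        paths = crib_survivors(crib, cipher[off:off + len(crib)])
        if paths:
            hits[off] = paths
    return hits

if __name__ == "__main__":
    plain = to_nums("SENDTHECOMPUTERTAPESNOW")   # constructed message
    rng = random.Random(7)
    stream = [(rng.randint(0, 1), rng.randint(0, 1)) for _ in plain]
    cipher, _ = encrypt(plain, 5, 17, stream)
    for off, paths in find_crib(to_nums("COMPUTER"), cipher).items():
        print("crib fits at offset", off, "with", len(paths), "path(s)")
```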

n-Rotor – Extending the Crib
- There are $2^n$ ways that $n$ rotors can move after each letter is encrypted.
- To decipher $m$ letters, the total number of possible rotorstreams is $(2^n)^m$.
- Strategy:
  - Generate rotorstreams of increasing length
  - Test for and discard bad rotorstreams

Test 1 – Markov Model
- Markov models are statistical models that can be applied to languages
- The model is created from statistical properties of a sample of text
- The sample used in this project is the text of English novels totaling 6MB

Test 1 – Markov Model
- First count all the 2-grams and 3-grams
  $count_2(i,j)$
  $count_3(i,j,k)$
- Compute relative probability of 2-grams
  $twograms = \sum_{i,j} count_2(i,j)$
  $\pi(i,j) = count_2(i,j) / twograms$
- Compute conditional probability of 3-grams
  $P(k / (i,j)) = count_3(i,j,k) / count_2(i,j)$
- $\pi(i,j)$ and $P(k / (i,j))$ form the Markov model

Test 1 – Markov Model
- Test a string $S = (s_0, s_1, \dots, s_{m-1})$ with the model $X$:
  $\Pr(X_0 = s_0, X_1 = s_1, \dots, X_{m-1} = s_{m-1}) = \pi(s_0, s_1) \prod_{i=2}^{m-1} P(s_i / (s_{i-2}, s_{i-1}))$
- Higher scores are more likely to be English
- A cutoff can be used to eliminate low scores
- Problems:
  - False positives
  - False negatives
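The Markov test above as an added example, not the thesis code: it builds the 2-gram and 3-gram model from a few constructed sentences instead of the 6MB novel sample and scores strings in log space. The floor for unseen n-grams and the per-letter cutoff are assumptions introduced here.

```python
import math
from collections import Counter

# Constructed sample text; the thesis used 6MB of English novels.
SAMPLE = ("The rotor moves after each letter is encrypted. "
          "The control rotors decide which cipher rotors move. "
          "A crib is a segment of text believed to appear in the plaintext. "
          "The machine enciphers the message one letter at a time.")

def normalise(text):
    """Upper-case and keep only letters and spaces."""
    return "".join(c for c in text.upper() if c.isalpha() or c == " ")

def build_model(text):
    """Return (pi, P): pi[ij] = count2(ij) / twograms and
    P[ijk] = count3(ijk) / count2(ij), as on the slide."""
    text = normalise(text)
    count2 = Counter(text[i:i + 2] for i in range(len(text) - 1))
    count3 = Counter(text[i:i + 3] for i in range(len(text) - 2))
    twograms = sum(count2.values())
    pi = {g: c / twograms for g, c in count2.items()}
    P = {g: c / count2[g[:2]] for g, c in count3.items()}
    return pi, P

def log_score(s, model, floor=1e-6):
    """log of pi(s0,s1) * prod_{i>=2} P(s_i / (s_{i-2}, s_{i-1})) for len(s) >= 2.
    Unseen n-grams get `floor` (an assumption) instead of probability 0."""
    pi, P = model
    score = math.log(pi.get(s[:2], floor))
    for i in range(2, len(s)):
        score += math.log(P.get(s[i - 2:i + 1], floor))
    return score

def passes(s, model, cutoff_per_letter=-8.0):
    """Cutoff test; normalising by length keeps one cutoff usable as the
    candidate plaintext grows. The cutoff value is an assumption."""
    return log_score(s, model) / len(s) >= cutoff_per_letter

if __name__ == "__main__":
    model = build_model(SAMPLE)
    for candidate in ("THE ROTOR MOVES", "XQZKVJWPBGFHQXZ"):
        print(candidate, round(log_score(candidate, model), 1),
              passes(candidate, model))
```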

Test 2 – aspell/pspell
- Standard spell checking utilities in Unix
- A “word” is any group of letters between spaces
- Every word is checked using pspell
- Problems:
  - False positives
  - False negatives
- Custom word lists can be developed

Test 3 – Manual Removal
- When 3 or more rotors are used, there are still too many strings that pass
- The user can be asked to weed out bad strings
- Another SSH example!

n-Rotor – Conclusion
- Each of the three steps filters out a huge number of possible plaintexts
- Even so, there is a lot of computation
- Adding more rotors will make the problem harder, but still manageable

Conclusion
- The SIGABA represents advanced rotor-based cryptosystem design
- Methods have been proposed that will compromise SIGABA and similar cryptosystems where rotors are advanced by pseudorandom bitstreams

Thank You for Coming!
- Note stereotypical use of “random” bits for decoration
- Sponsored by Alpha Team – F’02
  “We 0wn3d gorbels and cdidit”
- I’ve only used PPT twice in my life … both times were for Dr. Konheim … he hates Powerpoint … so do I
Curby